Re: Problems with certs
On 01/29/2010 01:21 PM, Steve Huston wrote:
> Just as a separate data point I have RHEL 5 w/ valid certs created per the instructions given.

If I step through those instructions manually I also get valid certs and can successfully run perftest against the broker using ssl. Perhaps there is an issue with the script(?).

- Apache Qpid - AMQP Messaging Implementation Project: http://qpid.apache.org Use/Interact: mailto:dev-subscr...@qpid.apache.org
Re: Problems with certs
On Fri, 2010-01-29 at 16:24, Gordon Sim wrote:
> On 01/29/2010 01:21 PM, Steve Huston wrote:
>> Just as a separate data point I have RHEL 5 w/ valid certs created per the instructions given.
>
> If I step through those instructions manually I also get valid certs and can successfully run perftest against the broker using ssl. Perhaps there is an issue with the script(?).

Always possible, even likely. I started by stepping through that page by hand; I wrote the script because I kept failing at it and wanted to make sure I was doing stuff consistently.

Are there any tools around for diagnosing what's different about this set of certs vs that other set of certs?
Re: Problems with certs
On 01/29/2010 04:46 PM, john dunning wrote:
> On Fri, 2010-01-29 at 16:24, Gordon Sim wrote:
>> On 01/29/2010 01:21 PM, Steve Huston wrote:
>>> Just as a separate data point I have RHEL 5 w/ valid certs created per the instructions given.
>>
>> If I step through those instructions manually I also get valid certs and can successfully run perftest against the broker using ssl. Perhaps there is an issue with the script(?).
>
> Always possible, even likely. I started by stepping through that page by hand; I wrote the script because I kept failing at it and wanted to make sure I was doing stuff consistently.
>
> Are there any tools around for diagnosing what's different about this set of certs vs that other set of certs?

certutil itself is the only one I know of.
Re: Problems with certs
On Fri, 2010-01-29 at 16:51, Gordon Sim wrote:
> On 01/29/2010 04:46 PM, john dunning wrote:
>> Are there any tools around for diagnosing what's different about this set of certs vs that other set of certs?
>
> certutil itself is the only one I know of.

Can you tar up your certs that you did by hand and fling them at me? Perhaps I can tell something by printing them with certutil and looking for discrepancies between yours and mine.
Re: Problems with certs
On 01/29/2010 04:46 PM, john dunning wrote:
> On Fri, 2010-01-29 at 16:24, Gordon Sim wrote:
>> On 01/29/2010 01:21 PM, Steve Huston wrote:
>>> Just as a separate data point I have RHEL 5 w/ valid certs created per the instructions given.
>>
>> If I step through those instructions manually I also get valid certs and can successfully run perftest against the broker using ssl. Perhaps there is an issue with the script(?).
>
> Always possible, even likely.

I think I've found the issue. The script doesn't select 'Server Auth' and 'Client Auth' when issuing and signing the server/client certificates. E.g. it should be:

certutil -C -d $dir/CA_db -c $ca_pretty_name -a -i $dir/server_db/server.req -o $dir/server_db/server.crt -f $dir/cert.password -z $dir/random -2 -6 <<EOF
0
9
n
n
-1
EOF

and:

certutil -C -d $dir/CA_db -c $ca_pretty_name -a -i $dir/client_db/client.req -o $dir/client_db/client.crt -f $dir/cert.password -z $dir/random -2 -6 <<EOF
1
9
n
n
-1
n
EOF

(Where 0 selects server auth and 1 selects client auth).

With that change then verification of the generated certs works and (providing you have the right hostname for the cert and use that when connecting) I can get perftest to run over ssl using the certs generated by the script.
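As an added example (not the script from the thread, nor Qpid project code), here is a small POSIX sh script that applies the fix above end to end: it builds CA, server and client databases with NSS certutil, feeds the -2/-6 prompt answers from Gordon's message when signing, and then checks each certificate for its intended usage with "certutil -V", which is the step that reports "Certificate type not approved for application" when the EKU is missing. It assumes nss-tools is installed; the paths, nicknames, password and the explicit -m serial numbers are my own choices.

```shell
# Added example, not the thread's script: CA, server and client certs via NSS
# certutil, answering the -6 (EKU) / -2 (basic constraints) prompts as in
# Gordon's corrected invocations above, then checking each cert for its intended
# usage with "certutil -V" (the check that reports "Certificate type not approved
# for application" when the EKU is missing). Paths/nicknames/password are placeholders.
set -eu

# Answers for "certutil -C ... -2 -6": EKU pick (0 = Server Auth, 1 = Client Auth),
# 9 = no more, not critical; then not a CA, unlimited path, not critical. The last
# "n" for server is assumed; the thread's sequence stops at -1 (certutil defaults to no).
eku_answers() {
    case "$1" in
        server) printf '0\n9\nn\nn\n-1\nn\n' ;;
        client) printf '1\n9\nn\nn\n-1\nn\n' ;;
        *) echo "unknown role: $1" >&2; return 1 ;;
    esac
}
# Usage letter for "certutil -V -u": V = SSL server, C = SSL client.
usage_flag() { if [ "$1" = server ]; then echo V; else echo C; fi; }

make_ca() {  # $1 = base dir, $2 = CA nickname
    mkdir -p "$1/CA_db"
    certutil -N -d "$1/CA_db" -f "$1/cert.password"
    # -2 answers: is a CA, unlimited path, not critical. An explicit -m serial keeps
    # later certs from colliding with it (the f11 "same issuer/serial" error is what a collision looks like).
    printf 'y\n-1\nn\n' | certutil -S -d "$1/CA_db" -n "$2" -s "CN=$2" -x -t "CT,," \
        -m 1 -f "$1/cert.password" -z "$1/random" -2
    certutil -L -d "$1/CA_db" -n "$2" -a -o "$1/ca.crt"
}

make_leaf() {  # $1 = base dir, $2 = CA nick, $3 = server|client, $4 = CN, $5 = serial
    db="$1/${3}_db"; mkdir -p "$db"
    certutil -N -d "$db" -f "$1/cert.password"
    certutil -R -d "$db" -s "CN=$4" -a -o "$db/$3.req" -f "$1/cert.password" -z "$1/random"
    eku_answers "$3" | certutil -C -d "$1/CA_db" -c "$2" -a -i "$db/$3.req" \
        -o "$db/$3.crt" -m "$5" -f "$1/cert.password" -z "$1/random" -2 -6
    certutil -A -d "$db" -n "$2" -a -i "$1/ca.crt" -t "CT,,"   # trust the CA
    certutil -A -d "$db" -n "$4" -a -i "$db/$3.crt" -t ",,"    # our own cert
    certutil -V -d "$db" -n "$4" -u "$(usage_flag "$3")"        # fails without the EKU
}

main() {  # $1 = base dir, $2 = server hostname (must match what clients connect to)
    mkdir -p "$1"; echo "placeholder-password" > "$1/cert.password"
    dd if=/dev/urandom of="$1/random" bs=256 count=1 2>/dev/null
    make_ca "$1" "Test CA"
    make_leaf "$1" "Test CA" server "$2" 2
    make_leaf "$1" "Test CA" client "qpid-client" 3
}
if [ "${1:-}" = run ]; then main "${2:-/tmp/qpid-certs}" "${3:-$(hostname)}"; fi
```

Run it as `sh certs.sh run /tmp/qpid-certs broker.example.test`; if a leaf cert was signed without the EKU, the `certutil -V` line stops the script with the same "Certificate type not approved for application" message seen in the thread.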
Re: Problems with certs
On Fri, 2010-01-29 at 19:34, Gordon Sim wrote:
> On 01/29/2010 04:46 PM, john dunning wrote:
>> On Fri, 2010-01-29 at 16:24, Gordon Sim wrote:
>>> On 01/29/2010 01:21 PM, Steve Huston wrote:
>>>> Just as a separate data point I have RHEL 5 w/ valid certs created per the instructions given.
>>>
>>> If I step through those instructions manually I also get valid certs and can successfully run perftest against the broker using ssl. Perhaps there is an issue with the script(?).
>>
>> Always possible, even likely.
>
> I think I've found the issue. The script doesn't select 'Server Auth' and 'Client Auth' when issuing and signing the server/client certificates. E.g. it should be:

Cool! Thank you! I'll try it when I get untangled from the bug I'm looking at now.
Re: Problems with certs
On 01/27/2010 06:31 PM, john dunning wrote:
> Hi all. While trying to test something else, I attempted to set up my qpidd with some certs, according to the instructions in http://www.mozilla.org/projects/security/pki/nss/ref/ssl/gtstd.html
>
> I'm losing big time; I can start qpidd ok, but when I try to connect to it, both client and server flame, with errors like this:
>
> 2010-01-27 12:49:23 error Error reading socket: Unknown error 18446744073709551615(-1)

That error does seem to be a regression of some sort; on an earlier version I get the following logged on the broker:

2010-jan-29 07:21:49 error Could not accept socket: Failed: SSL peer cannot verify your certificate. [-12271] (qpid/sy/ssl/SslSocket.cpp:123)

My initial guess would be that perhaps changes around the connection code have broken correct error handling in some way (or for some conditions).

> I've kicked it around with some folks around here, and the consensus is that either there's something non-obvious wrong with my certs, or a new bug has crept into the code. I believe the ssl tests do not include testing certs of the form produced by the above instructions.
>
> Does anybody have insight/experience running this way?
>
> I originally created the certs by hand, but ended up re-doing it enough times that it was worth it to write it down. Attached is the script I've been using to generate the certs; it's essentially a transcription of the instructions in the above page.

After running that script on rhel5 (nss-tools-3.12.3.99.3-1.el5_3.2) and then trying to verify the certs as per the page you link to above, I get:

certutil: certificate is invalid: Certificate type not approved for application.

Do you see the same? If so that suggests

On f11 (nss-tools-3.12.4-3.fc11.i586) the script fails midway through with an error:

certutil -A -d ./server_db -n redhat.com -a -i ./server_db/server.crt -t ,, -f ./cert.password -z ./random
certutil: could not obtain certificate from file: You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
Error 255
RE: Problems with certs
Just as a separate data point I have RHEL 5 w/ valid certs created per the instructions given.

>> I'm losing big time; I can start qpidd ok, but when I try to connect to it, both client and server flame, with errors like this:
>>
>> 2010-01-27 12:49:23 error Error reading socket: Unknown error 18446744073709551615(-1)

When doing some initial testing from Linux client to Windows broker, I get this same message (or something very close) on the Linux client.

> That error does seem to be a regression of some sort; on an earlier version I get the following logged on the broker:
>
> 2010-jan-29 07:21:49 error Could not accept socket: Failed: SSL peer cannot verify your certificate. [-12271] (qpid/sy/ssl/SslSocket.cpp:123)
>
> My initial guess would be that perhaps changes around the connection code have broken correct error handling in some way (or for some conditions).

Right... Getting that latter message would have been very helpful :-)

-Steve
Re: Problems with certs
On Wed, 2010-01-27 at 13:31 -0500, john dunning wrote:
> Hi all. While trying to test something else, I attempted to set up my qpidd with some certs, according to the instructions in http://www.mozilla.org/projects/security/pki/nss/ref/ssl/gtstd.html
>
> I'm losing big time; I can start qpidd ok, but when I try to connect to it, both client and server flame, with errors like this:
>
> 2010-01-27 12:49:23 error Error reading socket: Unknown error 18446744073709551615(-1)
>
> I've kicked it around with some folks around here, and the consensus is that either there's something non-obvious wrong with my certs, or a new bug has crept into the code.

If this is a bug it's not a new one. I was seeing that (or a similar error) for months instead of the ssl test succeeding during make check; at some point someone changed the ssl testing and I stopped getting this message.

I think that before it was something to do with not correctly generating certificates. It may have been related to multiple interfaces/hostnames on the test machine, or matching up the certificate name to the hostname.

There is a bug here though for sure, and that is the error message is useless.

Andrew
Re: Problems with certs
On Wed, 2010-01-27 at 13:47 -0500, Andrew Stitcher wrote:
> On Wed, 2010-01-27 at 13:31 -0500, john dunning wrote:
>> Hi all. While trying to test something else, I attempted to set up my qpidd with some certs, according to the instructions in http://www.mozilla.org/projects/security/pki/nss/ref/ssl/gtstd.html
>>
>> I'm losing big time; I can start qpidd ok, but when I try to connect to it, both client and server flame, with errors like this:
>>
>> 2010-01-27 12:49:23 error Error reading socket: Unknown error 18446744073709551615(-1)
>>
>> I've kicked it around with some folks around here, and the consensus is that either there's something non-obvious wrong with my certs, or a new bug has crept into the code.
>
> If this is a bug it's not a new one. I was seeing that (or a similar error) for months instead of the ssl test succeeding during make check; at some point someone changed the ssl testing and I stopped getting this message.

Huh. Do you by chance remember when the symptom went away? I might be able to learn something by spelunking in the checkin logs. The certs used for the ssl testing part of make check seem to be rather simpler than the ones described in the referenced page.

> I think that before it was something to do with not correctly generating certificates. It may have been related to multiple interfaces/hostnames on the test machine, or matching up the certificate name to the hostname.

Interesting. It's definitely the case that qpidd is sensitive to cert characteristics like owner name. If I generate the cert with the wrong one, it gripes in a different, somewhat less obscure way.

> There is a bug here though for sure, and that is the error message is useless.

Yeah, no kidding. I ran stuff in the debugger, enough to ascertain that it's croaking in a place where it clearly doesn't expect that anything could go wrong. I think it's ending up throwing some kind of generic "this can't happen" exception.

If I get further insight into what the real root cause of the lossage is, I'll see if there's a way to make the error reporting at least give some kind of a hint on what to check for.